tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls

   1 ---
   2 # Copyright (C) The Arvados Authors. All rights reserved.
   3 #
   4 # SPDX-License-Identifier: AGPL-3.0
   5
   6 {%- set passenger_pkg = 'nginx-mod-http-passenger'
   7                           if grains.osfinger in ('CentOS Linux-7') else
   8                         'libnginx-mod-http-passenger' %}
   9 {%- set passenger_mod = '/usr/lib64/nginx/modules/ngx_http_passenger_module.so'
  10                           if grains.osfinger in ('CentOS Linux-7',) else
  11                         '/usr/lib/nginx/modules/ngx_http_passenger_module.so' %}
  12 {%- set passenger_ruby = '/usr/local/rvm/rubies/ruby-2.7.2/bin/ruby'
  13                            if grains.osfinger in ('CentOS Linux-7', 'Ubuntu-18.04', 'Debian-10') else
  14                          '/usr/bin/ruby' %}
  15
  16 ### NGINX
  17 nginx:
  18   __NGINX_INSTALL_SOURCE__: true
  19   lookup:
  20     passenger_package: {{ passenger_pkg }}
  21   ### PASSENGER
  22   passenger:
  23     passenger_ruby: {{ passenger_ruby }}
  24
  25   ### SERVER
  26   server:
  27     config:
  28       # Needed for RVM, harmless otherwise. Cf. https://dev.arvados.org/issues/19015
  29       env: GEM_HOME
  30       # As we now differentiate where passenger is required or not, we need to
  31       # load this module conditionally, so we add this conditional just to use
  32       # the same pillar file
  33       {% if "install_from_phusionpassenger" == "__NGINX_INSTALL_SOURCE__" %}
  34       # This is required to get the passenger module loaded
  35       # In Debian it can be done with this
  36       # include: 'modules-enabled/*.conf'
  37       load_module: {{ passenger_mod }}
  38       {% endif %}
  39       worker_processes: 4
  40
  41   ### SNIPPETS
  42   snippets:
  43     # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
  44     ssl_hardening_default.conf:
  45       - ssl_session_timeout: 1d
  46       - ssl_session_cache: 'shared:arvadosSSL:10m'
  47       - ssl_session_tickets: 'off'
  48
  49       # intermediate configuration
  50       - ssl_protocols: TLSv1.2 TLSv1.3
  51       - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  52       - ssl_prefer_server_ciphers: 'off'
  53
  54       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  55       - add_header: 'Strict-Transport-Security "max-age=63072000" always'
  56
  57       # OCSP stapling
  58       - ssl_stapling: 'on'
  59       - ssl_stapling_verify: 'on'
  60
  61       # verify chain of trust of OCSP response using Root CA and Intermediate certs
  62       # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
  63
  64       # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
  65       # - ssl_dhparam: /path/to/dhparam
  66
  67       # replace with the IP address of your resolver
  68       # - resolver: 127.0.0.1
  69
  70   ### SITES
  71   servers:
  72     managed:
  73       # Remove default webserver
  74       default:
  75         enabled: false